Enterprise Linux (RHEL) Red Hat Enterprise Linux (RHEL)

Don't miss out!

Thousands of developers use stack.watch to stay informed.
Get an email whenever new security vulnerabilities are reported in Red Hat Enterprise Linux (RHEL).

Recent Red Hat Enterprise Linux (RHEL) Security Advisories

Advisory Title Published
RHSA-2026:33531 (RHSA-2026:33531) Red Hat Enterprise Linux AI 3.4.1 enhancement update June 30, 2026
RHSA-2026:33524 (RHSA-2026:33524) Red Hat Enterprise Linux AI 3.4.1 enhancement update June 30, 2026
RHSA-2026:17611 (RHSA-2026:17611) Red Hat Enterprise Linux AI 3.3.3 May 14, 2026
RHSA-2026:17609 (RHSA-2026:17609) Red Hat Enterprise Linux AI 3.3.3 May 14, 2026
RHSA-2026:10141 (RHSA-2026:10141) Red Hat Enterprise Linux AI 3.3.1 April 23, 2026
RHSA-2026:10140 (RHSA-2026:10140) Red Hat Enterprise Linux AI 3.3.1 April 23, 2026
RHSA-2025:19429 (RHSA-2025:19429) Red Hat Enterprise Linux AI 1.5 (NVIDIA) November 3, 2025
RHSA-2025:19427 (RHSA-2025:19427) Red Hat Enterprise Linux AI 1.5 (AMD) November 3, 2025
RHSA-2025:19430 (RHSA-2025:19430) Red Hat Enterprise Linux AI 1.5 (NVIDIA) November 3, 2025
RHSA-2025:19426 (RHSA-2025:19426) Red Hat Enterprise Linux AI 1.5 (NVIDIA) November 3, 2025

By the Year

In 2026 there have been 929 vulnerabilities in Red Hat Enterprise Linux (RHEL) with an average score of 7.3 out of ten. Last year, in 2025 Enterprise Linux (RHEL) had 213 security vulnerabilities published. That is, 716 more vulnerabilities have already been reported in 2026 as compared to last year. However, the average CVE base score of the vulnerabilities in 2026 is greater by 0.76.




Year Vulnerabilities Average Score
2026 929 7.30
2025 213 6.54
2024 172 6.35
2023 211 6.37
2022 175 6.74
2021 148 6.51
2020 104 6.35
2019 293 6.21
2018 113 7.02

It may take a day or so for new Enterprise Linux (RHEL) vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Red Hat Enterprise Linux (RHEL) Security Vulnerabilities

Samba pam_winbind: chown / via mkhomedir Availability loss
CVE-2026-15779 6.1 - Medium - July 15, 2026

A flaw was found in samba's pam_winbind. When mkhomedir is enabled, pam_winbind chowns the target account's home directory without validating the path is not a critical system directory such as /. On affected systems, accounts with / as their home directory (a common default for system accounts) can have this triggered not only by root, but by a non-root user holding a narrow sudo delegation to run commands as that account, causing ownership of / to change and resulting in severe denial of service (SSH, sudo, and package-manager failures). The change does not grant write access to / (which ships with restrictive 0555 permissions on RHEL), so the impact is availability loss rather than further privilege escalation.

Incorrect Permission Assignment for Critical Resource

libsoup OOB Read in multipart boundary parsing
CVE-2026-15714 6.5 - Medium - July 14, 2026

An out-of-bounds read vulnerability was found in libsoup's multipart processing subsystem. The flaw exists in the soup_multipart_input_stream_read_headers() function inside soup-multipart-input-stream.c, which does not adequately restrict or validate the size of incoming multipart boundary strings. When processing a crafted HTTP response containing a malformed or oversized boundary parameter, the internal stream reader reads past the allocated buffer bounds. A remote, unauthenticated attacker can exploit this behavior to cause a service denial (DoS) through application failure or potentially read fragments of unauthorized memory metadata.

Out-of-bounds Read

libsoup HTTP/2 Memory Leak Causing OOM DoS by Remote Peer
CVE-2026-15713 5.9 - Medium - July 14, 2026

A vulnerability was found in libsoup's HTTP/2 protocol implementation. The library fails to correctly release memory context blocks under specific stream termination conditions, such as when an HTTP/2 connection encounters window exhaustion or explicit stream resets. A remote, unauthenticated attacker acting as a malicious network peer can trick the connection engine into allocating stream states that are subsequently leaked during cleanup. Over a sustained period, this flaw allows the remote attacker to consume the system's heap allocations incrementally, triggering a denial of service (DoS) through an ultimate Out-of-Memory (OOM) application crash.

Missing Release of Resource after Effective Lifetime

libsoup WebSocket Frame Length Validation DoS
CVE-2026-15711 7.5 - High - July 14, 2026

A vulnerability was found in libsoup's WebSocket frame parsing implementation. The library fails to validate length rules specified in RFC 6455 §5.5, which mandates that all WebSocket control frames (e.g., PING, PONG, CLOSE) contain a payload of 125 bytes or less. A remote, unauthenticated attacker can exploit this by sending a non-compliant, oversized control frame. Because the parser handles this protocol violation improperly instead of throwing an immediate connection termination error, it triggers a internal processing crash, resulting in a remote denial of service (DoS) for applications utilizing libsoup WebSockets.

Allocation of Resources Without Limits or Throttling

libsoup WebSocket permessage-deflate OOM DoS via decompression bomb
CVE-2026-15709 7.5 - High - July 14, 2026

A flaw was found in libsoup's WebSocket implementation when using the permessage-deflate extension. The extension's decompression loop (inflate()) processes data in chunks without enforcing an upper boundary limit on the output buffer size. While libsoup limits the incoming compressed frame size via max_incoming_payload_size, it fails to track or limit memory allocation during decompression. A separate check for decompressed size (max_total_message_size) exists but executes only after inflation is complete, and it is entirely disabled by default for client connections. A remote, unauthenticated attacker can exploit this by sending a small, highly compressed payload (a decompression bomb), causing unbounded memory allocation that triggers an Out-of-Memory (OOM) crash and a Denial of Service (DoS).

Data Amplification

libsoup HTTP/2 GOAWAY Frame Heap Buffer Overread (CVE-2026-15712)
CVE-2026-15712 5.9 - Medium - July 14, 2026

A heap buffer over-read vulnerability was discovered in libsoup's (versions: libsoup 3.0 to 3.7.0) HTTP/2 connection tracking framework. When the library processes an HTTP/2 GOAWAY frame, it improperly handles the "Additional Debug Data" payload by assuming the data stream is a safely NUL-terminated C-string. Because the parser lacks strict length-boundary verification before reading this data, a remote, unauthenticated attacker can intentionally send a malformed GOAWAY frame missing the appropriate null delimiter. This causes the library to read past the end of the allocated buffer, triggering an application crash that results in a denial of service (DoS), or potentially exposing fragments of memory contents.

Out-of-bounds Read

libsoup 3.6.6 Integer Overflow in Unmasked WebSocket Frames (Red Hat)
CVE-2026-12478 4.8 - Medium - July 14, 2026

The fix for CVE-2026-0716 (commit 6ff7ef0, libsoup 3.6.6) placed the integer overflow guard inside the if (masked) block, leaving unmasked server-to-client frames unprotected. A malicious WebSocket server can send a crafted unmasked frame with a payload length near UINT64_MAX to trigger an OOB read in a libsoup-based client when max_incoming_payload_size is set to 0.

Out-of-bounds Read

Heap Overflow in libarchive PAX Header Parsing
CVE-2026-15028 3.9 - Low - July 10, 2026

A flaw was found in libarchive. This vulnerability allows a remote attacker to trigger a heap overflow by providing a specially crafted tar archive. The issue occurs during the parsing of a PAX extended header containing a malformed SUN.holesdata sparse-file attribute. Successful exploitation could lead to a denial of service, making the system unavailable, or potentially allow for arbitrary code execution, giving the attacker control over the affected system.

Heap-based Buffer Overflow

Stack Buffer Overflow in GStreamer DTLS Plugin (CVE-2026-59692)
CVE-2026-59692 7.5 - High - July 09, 2026

A stack buffer overflow vulnerability was found in GStreamer's DTLS plugin. During a DTLS handshake, the peer certificate Subject Distinguished Name is printed into a fixed-size 2048-byte stack buffer without bounds checking. A remote unauthenticated attacker can send a certificate with an oversized Subject DN that exceeds the buffer, causing a stack buffer overflow and process crash, resulting in denial of service.

Stack Overflow

GStreamer rfbsrc plugin heap buffer overflow via Hextile
CVE-2026-59691 7.1 - High - July 09, 2026

A heap buffer overflow vulnerability was found in GStreamer's rfbsrc plugin. When a client connects to a malicious RFB/VNC server that advertises a 16bpp framebuffer and sends Hextile-encoded updates, the Hextile background fill path writes 32-bit pixel values into a buffer allocated for 16-bit pixels. This type mismatch causes an out-of-bounds heap write that can lead to denial of service (process crash) and potential memory corruption.

Memory Corruption

389 Directory Server PBKDF2SHA256 Timing Attack via NonConstant Memcmp
CVE-2026-15041 3.7 - Low - July 08, 2026

A flaw was found in 389 Directory Server. The PBKDF2-SHA256 password verification function uses standard memcmp() for comparing password hashes instead of a constant-time comparison function. A remote attacker could potentially use timing measurements of LDAP bind attempts to infer partial hash information, though practical exploitation is extremely difficult due to PBKDF2 computational overhead.

Observable Timing Discrepancy

389-ds Base Static IV Attack (AES-CBC/3DES-CBC)
CVE-2026-14969 4.4 - Medium - July 07, 2026

A flaw was found in 389-ds-base where the LDBM backend attribute encryption uses a hardcoded static initialization vector for AES-CBC and 3DES-CBC operations, allowing an attacker with privileged filesystem access to detect plaintext equality across encrypted entries by comparing ciphertext blocks.

Not Using an Unpredictable IV with CBC Mode

GStreamer webrtcbin logic flaw bypasses SDP fingerprint check
CVE-2026-14935 3.7 - Low - July 07, 2026

A logic vulnerability was found in GStreamer's webrtcbin component. The _check_sdp_crypto() function contains an inverted boolean condition that causes it to accept remote SDP offers or answers that lack the required a=fingerprint attribute, while incorrectly rejecting those that include it. An attacker with the ability to intercept and modify WebRTC signaling messages could exploit this to bypass the SDP-level DTLS certificate fingerprint binding, weakening defenses against man-in-the-middle attacks on media streams.

Always-Incorrect Control Flow Implementation

Heap Buffer Overflow in 389Directory Server DN Normalization
CVE-2026-14940 5.3 - Medium - July 07, 2026

A heap-buffer-overflow flaw was found in 389 Directory Server (389-ds-base). When normalizing a Distinguished Name (DN) that contains a legacy-quoted value encoding a multivalued nested Relative Distinguished Name (RDN), the server can write past the end of a heap allocation while sorting RDN attribute-value pairs. An unauthenticated remote attacker can trigger this condition by sending an LDAP operation whose DN reaches the DN normalization routine, such as a search with a crafted base DN. This can corrupt heap memory and may cause denial of service.

Heap-based Buffer Overflow

389-ds-base 1.3.2+ Heap Buffer Overflow via oversized LDAP UNBIND
CVE-2026-11610 8.8 - High - July 07, 2026

A heap buffer overflow flaw was found in the SASL I/O layer of 389 Directory Server (389-ds-base). After a successful SASL bind with integrity protection (SSF > 0), an authenticated attacker can send a specially crafted oversized LDAP UNBIND packet that is copied into a 512-byte heap receive buffer without a bounds check in sasl_io_recv() in sasl_io.c. This allows up to approximately 2 megabytes of attacker-controlled data to overflow the buffer, causing a denial of service (server crash). In FreeIPA and Red Hat Identity Management deployments, any domain user with a valid Kerberos ticket, any enrolled host, or any service account can trigger this vulnerability over the network after authenticating via GSSAPI. The vulnerable code path has existed since approximately 2013 (389-ds-base 1.3.2) and was not addressed by the CVE-2025-14905 fix, which patched a separate heap overflow in schema.c only.

Heap-based Buffer Overflow

SSSD AD GPO Path Traversal Enables Root Write & Auth Bypass
CVE-2026-14476 8 - High - July 07, 2026

A path traversal flaw was found in SSSD's AD GPO provider. The ad_gpo_extract_smb_components() function does not sanitize .. sequences in the gPCFileSysPath LDAP attribute, allowing an attacker with AD GPO management access to write files outside the GPO cache directory as root. On default RHEL configurations with SELinux enforcing, this can be used to inject Kerberos configuration leading to authentication bypass.

Relative Path Traversal

SSSD LDAP Sudo Escalation: Unconfigured Search Base Allowing Root Privileges
CVE-2026-14474 8.8 - High - July 07, 2026

A flaw was found in SSSD's LDAP sudo provider. When the ldap_sudo_search_base option is not explicitly configured, SSSD searches the entire LDAP directory tree for sudoRole objects. An authenticated attacker with write access to any subtree can inject a sudoRole object granting root-level sudo privileges on all SSSD-enrolled hosts.

Insecure Default Initialization of Resource

Integer Overflow in GIMP PSD Parser read_RLE_channel
CVE-2026-58384 7.3 - High - July 07, 2026

A flaw was found in GIMP's PSD parser. An integer overflow in read_RLE_channel() can cause an undersized heap allocation for the RLE row-length table, after which subsequent per-row writes corrupt heap memory. This could lead to memory corruption, potentially resulting in denial of service or arbitrary code execution.

Integer Overflow or Wraparound

GIMP TIM Loader int Overflow in CLUT multiplier causing DoS
CVE-2026-59089 5.5 - Medium - July 06, 2026

A flaw was found in GIMP. The PlayStation TIM loader, responsible for handling PlayStation image files, incorrectly calculates the size of the Color Look-Up Table (CLUT) due to an integer overflow. This occurs when multiplying num_colors and num_cluts, both 16-bit unsigned short integers, resulting in a value exceeding the maximum integer limit. An attacker could exploit this by providing a specially crafted image file, leading to undefined behavior and causing the GIMP plug-in to abort, effectively resulting in a denial of service.

Integer Overflow or Wraparound

GIMP PNM Parser Off-By-One Buffer Overrun
CVE-2026-58380 7.3 - High - July 06, 2026

A flaw was found in GIMP's PNM file format parser. When parsing a specially crafted PNM file, the pnmscanner_gettoken() function writes a null terminator one byte past the end of a stack-allocated buffer due to an off-by-one error in the loop boundary check. This could lead to memory corruption, potentially resulting in denial of service or arbitrary code execution.

off-by-five

GIMP PSP Parser Heap Overflow Arbitrary Code Execution
CVE-2026-58379 7.3 - High - July 03, 2026

A flaw was found in GIMP's Paint Shop Pro (PSP) file format parser. This heap buffer overflow vulnerability allows a remote attacker to cause arbitrary code execution or a denial of service (DoS) by tricking a user into opening a specially crafted PSP image file. The vulnerability occurs because the software incorrectly calculates buffer sizes when processing low bit-depth images, leading to an overwrite of adjacent memory.

Heap-based Buffer Overflow

Off-by-One in FreeIPA ipa-otpd OAuth2 Handler OOB Memory Access
CVE-2026-14612 4.2 - Medium - July 03, 2026

Two off-by-one errors in the FreeIPA ipa-otpd daemon's OAuth2 device authorization handler can cause out-of-bounds memory access when processing an oversized response from a configured external OAuth2/OIDC Identity Provider. An attacker who controls or can man-in-the-middle the IdP endpoint may be able to trigger ipa-otpd to write or read one byte past the end of a fixed-size buffer. Exploitation requires FreeIPA to be configured with an external IdP, attacker control or MITM of that IdP, and a user to initiate the OAuth2 device authorization flow. The most likely impact is limited denial of service affecting the ipa-otpd daemon.

Memory Corruption

Integer Overflow in HP HPLIP hpcups Remote Priv Escalation
CVE-2026-14544 9.8 - Critical - July 03, 2026

A flaw was found in HPLIP (HP Linux Imaging and Printing Software). This vulnerability, an incomplete fix for CVE-2026-8631, may allow a remote attacker to escalate privileges or achieve arbitrary code execution. This can occur through an integer overflow in the hpcups processing path when handling specially crafted print data.

Integer Overflow or Wraparound

GIMP PSP File Parser Double-Free Vulnerability
CVE-2026-58381 6.1 - Medium - July 02, 2026

A flaw was found in GIMP's PSP file format parser. A double-free condition occurs in the read_layer_block() function when processing a specially crafted PSP file. This could allow an attacker to cause memory corruption, potentially leading to denial of service or arbitrary code execution.

Double-free

PulseAudio Unbounded alloca() Calls in Protocol Server
CVE-2026-14330 5.5 - Medium - July 01, 2026

Multiple unbounded alloca() calls in the PulseAudio protocol server.

Allocation of Resources Without Limits or Throttling

RAOP Module Accepts Unbounded ContentLength Values (CVE202614324)
CVE-2026-14324 6.5 - Medium - July 01, 2026

RAOP module accepts unbounded Content-Length values and does not check the pw_array_add() return.

NULL Pointer Dereference

dhcpcd ND Router Advertisement Zero-Length Option DoS
CVE-2026-14258 6.5 - Medium - July 01, 2026

A flaw was found in dhcpcd's IPv6 Neighbor Discovery Router Advertisement processing. A specially crafted IPv6 Router Advertisement containing a zero-length Neighbor Discovery option can bypass validation during packet storage and later be reparsed without adequate validation, causing the parser to enter a non-advancing loop. Successful exploitation may result in excessive CPU consumption, leading to a denial of service.

Infinite Loop

GLib g_dbus_node_info_new_for_xml uint overflow OOB read DoS
CVE-2026-58016 7.5 - High - June 30, 2026

A flaw was found in GLib. A state confusion issue exists in g_dbus_node_info_new_for_xml() in the gio/gdbusintrospection.c file when processing malformed D-Bus introspection XML, specifically with a <node> element nested within other elements like <method>, <signal>, <property> or <arg>. This issue can cause an unsigned integer overflow and lead to an out-of-bounds read, resulting in a denial of service.

Integer underflow

GLib D-Bus DBUS_COOKIE_SHA1 Auth: CookieCtx Path Traversal CVE-2026-58015
CVE-2026-58015 5.9 - Medium - June 30, 2026

A flaw was found in GLib. The D-Bus client-side implementation of the DBUS_COOKIE_SHA1 SASL authentication mechanism does not validate the cookie_context parameter received from the server. A malicious D-Bus server can supply a cookie_context containing path traversal sequences, causing the client to read an arbitrary file and exfiltrate sensitive data by verifying guessed file contents against a generated hash.

Directory traversal

GLib g_key_file Off-By-One Array Index Bug Causing OOB Access
CVE-2026-58014 7.3 - High - June 30, 2026

A flaw was found in GLib. An off-by-one error can occur in the g_key_file_get_locale_string_list function in the gkeyfile.c file when loading a key file with an empty value. This flaw can cause an out-of-bounds access of 1 byte or a denial of service when the out-of-bounds access crosses a page boundary.

off-by-five

GLib Buffer Over-Read in giochannel.c Minor Info Disclosure & DoS
CVE-2026-58013 6.5 - Medium - June 30, 2026

A flaw was found in GLib. A buffer over-read can occur in g_io_channel_read_line_backend() in the giochannel.c file when a custom line terminator with a length greater than one is set, causing memcmp to read past the GString buffer. This vulnerability can cause a minor information disclosure of 7 bytes or a denial of service when the buffer over-read crosses a page boundary.

Buffer Over-read

GLib g_regex_replace over-read via G_REGEX_RAW causing info leak & DoS
CVE-2026-58012 6.5 - Medium - June 30, 2026

A flaw was found in GLib. A buffer over-read can occur in the g_regex_replace function when used with the `G_REGEX_RAW` compile flag and case-change replacement escapes because the string_append function processes matched substrings using UTF-8 functions that assume valid UTF-8 input, even when the string is treated as raw bytes. This vulnerability can cause a minor information disclosure of 1-5 bytes and a denial of service when the buffer over-read crosses a page boundary.

Buffer Over-read

GLib Off-by-One in gvs_tuple_is_normal leads to 1byte OOB Read
CVE-2026-58010 6.5 - Medium - June 30, 2026

A flaw was found in GLib. An off-by-one error can occur in the gvs_tuple_is_normal function in the glib/gvariant-serialiser.c file when doing an alignment padding check because the bounds check uses > instead of >=, causing an out-of-bounds read of only 1 byte. This issue can cause a minor information disclosure of 1 byte and a denial of service when the out-of-bounds read crosses a page boundary.

Buffer Over-read

Out-of-bounds read in GLib g_date_time_get_ymd
CVE-2026-58011 6.5 - Medium - June 30, 2026

A flaw was found in GLib. An out-of-bounds read of only 2 bytes can occur in the g_date_time_get_ymd function in the glib/gdatetime.c file when an invalid GDateTime object produced by the g_date_time_add_full function is processed. This flaw can corrupt the date output and potentially cause logic errors that may lead to a denial of service.

Out-of-bounds Read

SSSD PAM Responder UAF Crash via YubiKey Manipulation DOS & Possible Priv Esc
CVE-2026-12610 6.4 - Medium - June 30, 2026

A flaw was found in sssd. When authenticating with a YubiKey, the SSSD PAM responder can crash due to a use-after-free vulnerability, where a memory pointer is incorrectly handled. A local attacker could exploit this flaw by manipulating smartcard or YubiKey contents, leading to a denial of service that disrupts authentication. This vulnerability also presents a potential for privilege escalation, although it is difficult to exploit.

Dangling pointer

Double-Free in libarchive RAR5 Reader
CVE-2026-14164 7.5 - High - June 30, 2026

A double free issue has been identified in libarchive's RAR5 reader. During parsing of a specially crafted RAR5 archive, the filtered_buf pointer may remain stale after being freed during unpacking state reinitialization. Subsequent processing of another archive entry can trigger a second free of the same memory region, resulting in a double-free condition. Successful exploitation may cause applications using the vulnerable libarchive API to terminate unexpectedly, leading to a denial of service.

Double-free

Stack Exhaustion in p11-kit via Nested CKA Template Recursion
CVE-2026-13757 6.2 - Medium - June 29, 2026

A flaw was found in p11-kit. The RPC message attribute parsing functions p11_rpc_message_get_attribute() and p11_rpc_message_get_attribute_array_value() form a mutually-recursive call chain with no recursion depth limit when processing nested CKA_WRAP_TEMPLATE, CKA_UNWRAP_TEMPLATE, and CKA_DERIVE_TEMPLATE attributes. An unauthenticated attacker with local access to the p11-kit RPC Unix domain socket can send a specially crafted request with deeply nested template attributes, causing stack exhaustion and crashing the p11-kit server process and its dependent services.

Stack Exhaustion

Heap-based Buffer Overflow in libtiff PixarLog Decoder
CVE-2026-12912 7.3 - High - June 29, 2026

A flaw was found in libtiff. A remote attacker could exploit this vulnerability by providing a specially crafted PixarLog-compressed TIFF image. This issue occurs when decoding Pixarlog codec images with the PIXARLOGDATAFMT_8BITABGR output format and a specific stride value, leading to a heap-based buffer overflow. This could potentially result in arbitrary code execution or a denial of service (DoS).

Heap-based Buffer Overflow

fast-uri <=3.1.2/4.0.0 Unicode IDN Canonicalization Bug
CVE-2026-13676 7.5 - High - June 29, 2026

fast-uri versions 2.3.1 through 3.1.2 and 4.0.0 fail to canonicalize Unicode (IDN) hostnames for HTTP-family URLs. The IDN conversion path calls a helper that does not exist on the global URL constructor, silently leaving the host in its original Unicode form while normalize() and equal() still return values that differ from a WHATWG-compatible URL parser. Applications that use fast-uri to enforce host-based policy (denylists, loopback filtering, redirect validation, outbound proxy routing) before passing the same URL to Node's URL or fetch can be bypassed when the two implementations resolve the same input to different hosts. Patches: upgrade to fast-uri 3.1.3 for the 3.x line or 4.0.1 for the 4.x line. Workarounds: enforce host policy using the same URL parser used for the actual request, or reject non-ASCII hosts before policy checks.

Interpretation Conflict

Local Priv Escalation via Symlink Traversal in attr <2.6.0 Getfattr/Setfattr
CVE-2026-54371 6.3 - Medium - June 29, 2026

attr before version 2.6.0 contains a symlink traversal vulnerability in the getfattr and setfattr utilities that allows local attackers to escalate privileges by replacing a pathname component with a symbolic link during directory hierarchy traversal. Attackers who control a pathname component can redirect getfattr and setfattr operations to arbitrary files by substituting a symlink, leading to local privilege escalation when getfattr or setfattr is invoked by a privileged process over an attacker-controlled path.

insecure temporary file

Linux ACL pre-2.4.0 Symlink Traversal in acl_get_file() & others - Priv Esc
CVE-2026-54369 7.1 - High - June 29, 2026

acl before version 2.4.0 contains a symlink traversal vulnerability in the libacl pathname-based functions acl_get_file(), acl_set_file(), acl_extended_file(), and acl_delete_def_file() that allows local attackers to escalate privileges by replacing any pathname component with a symbolic link. Attackers who control any component of a pathname processed by a privileged caller can redirect ACL read or write operations to arbitrary files or directories, enabling unauthorized manipulation of access control lists and local privilege escalation.

insecure temporary file

Yelp yelp-xsl CSP Permissiveness Lets Flatpak Bypass Sandbox
CVE-2026-13601 7.1 - High - June 29, 2026

A flaw was found in Yelp due to an overly permissive Content Security Policy (CSP) implementation provided by yelp-xsl. A malicious Flatpak application can open crafted help content through the OpenURI portal. By embedding an untrusted CSS stylesheet within a structured SVG document, attacker-controlled content can bypass Flatpak's intended sandbox isolation, allowing Yelp to evaluate local XML inclusions and disclose arbitrary user-readable host files through remote CSS resource requests. This may result in the unauthorized disclosure of sensitive information.

Protection Mechanism Failure

Heap UAF in util-linux libblkid during nested probing
CVE-2026-13595 6.8 - Medium - June 29, 2026

A flaw was found in the libblkid library of util-linux. During nested partition probing, the BSD, Minix, Solaris x86, and UnixWare partition probers cache a raw pointer to a parent partition entry in a dynamically allocated array. When subsequent partition additions cause the array to be reallocated, this pointer becomes stale, leading to a heap use-after-free read. An attacker who can present a crafted block device image (for example, via USB insertion or a loop-mounted disk image) can trigger this flaw without user interaction, as libblkid is invoked automatically by udev/udisks as root on block-device hot-plug events. This could lead to limited information disclosure or denial of service.

Dangling pointer

Path Traversal in spice-vdagent Enables Arbitrary File Write
CVE-2026-57966 4.4 - Medium - June 29, 2026

A path traversal vulnerability was found in spice-vdagent. This flaw allows a malicious or compromised SPICE host to write arbitrary files to any location on the guest operating system. This occurs because the filename provided by the SPICE host during file transfers is not properly sanitized before being used. An attacker could exploit this to write to sensitive locations with the privileges of the spice-vdagent process, typically the logged-in user. This issue requires the SPICE host to be untrusted or compromised for exploitation.

Directory traversal

spice-vdagent Integer Overflow Heap Buffer Overflow DoS
CVE-2026-57965 5.1 - Medium - June 29, 2026

A flaw was found in spice-vdagent. A malicious or compromised SPICE host can trigger an integer overflow by sending a specially crafted message. This vulnerability can lead to a heap buffer overflow, causing the spice-vdagent daemon to crash and resulting in a Denial of Service (DoS) for the virtual machine. This issue requires the SPICE host to be untrusted or compromised for exploitation.

Integer Overflow or Wraparound

Linux Kernel VFIO PCI: Clean DMABUF before Function Disable
CVE-2026-53322 7 - High - June 26, 2026

In the Linux kernel, the following vulnerability has been resolved: vfio/pci: Clean up DMABUFs before disabling function On device shutdown, make vfio_pci_core_close_device() call vfio_pci_dma_buf_cleanup() before the function is disabled via vfio_pci_core_disable(). This ensures that all access via DMABUFs is revoked before the function's BARs become inaccessible. This fixes an issue where, if the function is disabled first, a tiny window exists in which the function's MSE is cleared and yet BARs could still be accessed via the DMABUF. The resources would also be freed and up for grabs by a different driver.

Premature Release of Resource During Expected Lifetime

Linux Kernel: iommu/vt-d NULL pointer deref (Use-After-Free)
CVE-2026-53281 7 - High - June 26, 2026

In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Avoid NULL pointer dereference or refcount corruption Commit 60f030f7418d ("iommu/vt-d: Avoid use of NULL after WARN_ON_ONCE") fixed a NULL pointer dereference in an unlikely situation partly. If dev_pasid is not found in the dev_pasids list, it remains NULL. However, the teardown operations are executed unconditionally, this lead to a NULL pointer dereference or refcount corruption. If the domain was never attached to this IOMMU, info will be NULL, which would cause an immediate dereference when checking --info->refcnt. Even if info is not NULL, decrementing the refcount without having removed a valid PASID might unbalance the count. This could lead to premature dropping of the refcount to 0, potentially causing a use-after-free for the remaining active devices sharing the domain. Fix it by returning early if dev_pasid is NULL, before executing the teardown operations. Issue found by AI review and suggested by Kevin Tian. https://sashiko.dev/#/patchset/20260421031347.1408890-1-zhenzhong.duan%40intel.com

Node.js WebCrypto Crash via 2GiB Input in subtle.encrypt
CVE-2026-48933 7.5 - High - June 26, 2026

A flaw in Node.js WebCrypto implementation can crash the process if the input of `subtle.encrypt()` is a multiple of 2GiB. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.

Integer Overflow or Wraparound

Node.js TLS Hostname Normalization Bypass via Unicode Dot Separator
CVE-2026-48618 7.7 - High - June 26, 2026

A flaw in Node.js TLS hostname handling can cause Node.js unicode dot separator handling can lead to tls wildcard-depth authentication bypass due to resolver and verifier hostname normalization mismat. This can lead to confidentiality impact or bypass of the intended security boundary under affected configurations. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.

Improper Handling of Unicode Encoding

KVM ARM64 srcu lock bug in page table walk (CVE-2026-53277)
CVE-2026-53277 7 - High - June 25, 2026

In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: Take the SRCU lock for page table walks in fault injection and AT emulation walk_s1() and kvm_walk_nested_s2() expect to be called while holding kvm->srcu to guard against memslot changes. While this is generally the case, __kvm_at_s12() and __kvm_find_s1_desc_level() call into the respective walkers without taking kvm->srcu. Fix by acquiring kvm->srcu prior to the table walk in both instances.

Missing Synchronization

Stay on top of Security Vulnerabilities

Want an email whenever new vulnerabilities are published for Red Hat Enterprise Linux (RHEL) or by Red Hat? Click the Watch button to subscribe.

Red Hat
Vendor

subscribe